
Commonmarker vulnerable to several quadratic complexity bugs that may lead to denial of service

Moderate severity GitHub Reviewed Published Apr 11, 2023 in gjtorikian/commonmarker • Updated Apr 11, 2023

Package

bundler commonmarker (RubyGems)

Affected versions

< 0.23.9

Patched versions

0.23.9

Description

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service. Because parse time grows with the square of the input size, a modestly sized untrusted document can consume disproportionate CPU on the rendering host.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.
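Two checks a Ruby application owner might run around this advisory, as an added example that is not code from the advisory or from the commonmarker project: a Gemfile.lock scan that flags a commonmarker pin below the patched 0.23.9, and a guard that renders untrusted Markdown under a byte cap and a wall-clock budget while the upgrade is rolled out. The lockfile text, the helper names and the limits are constructed for illustration; the renderer is injected so the example runs without the gem installed.

```ruby
# Added example, not from the advisory or the commonmarker project.
require "rubygems"   # Gem::Version
require "timeout"

PATCHED_COMMONMARKER = Gem::Version.new("0.23.9")  # patched version per the advisory

# Constructed Gemfile.lock excerpt (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    commonmarker (0.23.8)
    rake (13.0.6)

PLATFORMS
  ruby

DEPENDENCIES
  commonmarker (~> 0.23)
LOCK

# Gem::Version of the commonmarker resolved in a Gemfile.lock string, or nil.
# Resolved gems sit 4 spaces deep under "specs:"; dependency lines are 6 deep
# and carry a requirement like "~> 0.23", so the leading digit excludes them.
def locked_commonmarker_version(lockfile_text)
  m = lockfile_text.match(/^ {4}commonmarker \((\d[^)\s]*)\)/)
  m && Gem::Version.new(m[1])
end

# True when the locked commonmarker is older than the advisory's patched version.
def commonmarker_vulnerable?(lockfile_text)
  v = locked_commonmarker_version(lockfile_text)
  !v.nil? && v < PATCHED_COMMONMARKER
end

class MarkdownTooLarge < StandardError; end
class MarkdownRenderTimeout < StandardError; end

# Render untrusted Markdown with `renderer` (a callable such as
# ->(md) { CommonMarker.render_html(md) }) under a byte cap and a time budget.
# Caveat: Timeout only interrupts Ruby-level code; a long-running call inside
# the cmark-gfm C extension is not preempted, so the byte cap is the part that
# actually bounds work, and upgrading to 0.23.9 is the real fix.
def render_guarded(markdown, renderer, max_bytes: 64 * 1024, budget_s: 2.0)
  if markdown.bytesize > max_bytes
    raise MarkdownTooLarge, "#{markdown.bytesize} bytes exceeds cap of #{max_bytes}"
  end
  Timeout.timeout(budget_s, MarkdownRenderTimeout) { renderer.call(markdown) }
end

if __FILE__ == $0
  puts "commonmarker pinned at #{locked_commonmarker_version(SAMPLE_LOCKFILE)}: " \
       "#{commonmarker_vulnerable?(SAMPLE_LOCKFILE) ? 'VULNERABLE, upgrade to 0.23.9' : 'patched'}"
  # Stand-in renderer (not cmark-gfm) so the guard can be exercised offline.
  echo = ->(md) { "<p>#{md}</p>" }
  puts render_guarded("hello", echo)
end
```

Run the lockfile check in CI against the real Gemfile.lock; the rendering guard is a stopgap for worker pools that render user-supplied Markdown and does not replace the upgrade.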

References

@gjtorikian gjtorikian published to gjtorikian/commonmarker Apr 11, 2023
Published to the GitHub Advisory Database Apr 11, 2023
Reviewed Apr 11, 2023
Last updated Apr 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-48wp-p9qv-4j64